[CLUE-Tech] Netfilter Log Message

Timothy Klein teece at silverklein.net
Thu Aug 9 11:38:43 MDT 2001


I have been getting lots of this, too.  Somebody is knocking on your 
web port, and your firewall ain't answering the door.

Ah, Code Red!

* Jeremiah Stanley (miah at miah.org) wrote:
> Can anyone decrypt this for me? :)
> 
> Aug  9 10:31:36 larry kernel: Netfilter: IN=eth1 OUT=
> MAC=00:a0:cc:d0:d1:ef:00:30:80:23:6d:8c:08:00 SRC=24.178.31.64
> DST=24.178.96.233 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=42185 DF PROTO=TCP
> SPT=4135 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0

The 'IN' section tells you what ethernet card the request came in on.  'OUT' is
the same, but empty in this case.  'MAC' is the mac address on your ethernet
card.  'SRC' is the address that originated this query.  'DST' is the
address it came to (yours, I presume).  The next few packets describe stuff
about the packet headers and such, which I am not that great at: (LEN, TOS,
PREC, TTL, ID, DF).  'PROTO' tells you what network protocol it was (tcp, udp,
icmp).  'SPT' is the port on the originating machine, and 'DPT' is the port on
the destination machine.  That is the part that gives it away as Code Red, port
80 is the html port.  You can find out what ports do what by looking in
/etc/services.  Ports above 1024 are unprivileged ports, and not usually
associated with a specific function.  Any program can use them.  The last
packets, (WINDOW, RES, SYN, URGP) are more packet info that I am no good at.

HTH,

Tim
--
==============================================
== Timothy Klein || teece at silverklein.net   ==
== ---------------------------------------- ==
== "Hello, World" 17 Errors, 31 Warnings... ==
==============================================
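As an added example (not part of Tim's reply or the original thread), here is a small Python parser that reads netfilter LOG lines the way the reply walks through them: it splits the syslog prefix off, collects the KEY=VALUE fields, keeps the bare flags (DF, SYN, ...) separately, looks the destination port up the way /etc/services would, and flags the pattern the thread is about (a lone SYN aimed at TCP port 80). The first sample line is the one quoted above; the second (UDP) line and the fallback service table are constructed for this example. It assumes "Netfilter:" is the --log-prefix the rule was given.

```python
import re
import socket
from typing import Dict, List, Optional

# Constructed sample input. Line 1 is the record quoted in the thread; line 2 is
# made up to show a second protocol and the repeated LEN= netfilter prints for UDP.
SAMPLE_LOG = [
    "Aug  9 10:31:36 larry kernel: Netfilter: IN=eth1 OUT= "
    "MAC=00:a0:cc:d0:d1:ef:00:30:80:23:6d:8c:08:00 SRC=24.178.31.64 "
    "DST=24.178.96.233 LEN=48 TOS=0x00 PREC=0x00 TTL=119 ID=42185 DF PROTO=TCP "
    "SPT=4135 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Aug  9 10:32:01 larry kernel: Netfilter: IN=eth1 OUT= "
    "MAC=00:a0:cc:d0:d1:ef:00:30:80:23:6d:8c:08:00 SRC=192.0.2.10 "
    "DST=24.178.96.233 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP "
    "SPT=5353 DPT=53 LEN=40",
]

# Tokens netfilter prints without a value: IP header flags and TCP flags.
BARE_FLAGS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$"
)

# Constructed fallback for hosts without /etc/services; socket.getservbyport
# is the programmatic form of "look in /etc/services" from the reply.
FALLBACK_SERVICES = {(80, "tcp"): "http", (53, "udp"): "domain", (22, "tcp"): "ssh"}


def parse_netfilter_line(line: str) -> Optional[Dict[str, object]]:
    """Split one syslog line carrying a netfilter LOG record into fields.

    Returns None for lines that are not kernel records. KEY=VALUE tokens go in
    the dict (first occurrence wins, so the IP LEN= survives the UDP LEN=);
    bare flags such as DF and SYN are collected under 'flags'; any words before
    the first KEY=VALUE token are the rule's --log-prefix.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = {"ts": m.group("ts"), "host": m.group("host")}
    flags: List[str] = []
    prefix: List[str] = []
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec.setdefault(key, val)        # OUT= yields an empty string
        elif tok in BARE_FLAGS:
            flags.append(tok)
        elif "IN" not in rec:
            prefix.append(tok)              # still inside the log prefix
    rec["flags"] = flags
    rec["prefix"] = " ".join(prefix)
    return rec


def service_name(port: int, proto: str) -> Optional[str]:
    """Name for a port/proto pair, from /etc/services when the host has one."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return FALLBACK_SERVICES.get((port, proto))


def is_web_probe(rec: Dict[str, object]) -> bool:
    """The pattern the thread describes: a connection attempt (SYN without ACK)
    aimed at TCP port 80."""
    flags = rec["flags"]
    return (rec.get("PROTO") == "TCP" and rec.get("DPT") == "80"
            and "SYN" in flags and "ACK" not in flags)


def summarize(rec: Dict[str, object]) -> str:
    """Render a record the way the reply reads it: who, to which port, and why
    the packet was logged on this box."""
    proto = str(rec.get("PROTO", "?")).lower()
    parts = [f"{rec['ts']} {rec['host']}: {proto.upper()}"]
    if "SPT" in rec and "DPT" in rec:
        dpt = int(str(rec["DPT"]))
        name = service_name(dpt, proto) or "unassigned"
        parts.append(f"{rec['SRC']}:{rec['SPT']} -> {rec['DST']}:{dpt} ({name})")
        parts.append("privileged port" if dpt < 1024 else "unprivileged port")
    else:
        parts.append(f"{rec['SRC']} -> {rec['DST']}")
    if is_web_probe(rec):
        parts.append("new connection attempt (SYN only) on the web port")
    parts.append(f"in={rec.get('IN') or '-'} out={rec.get('OUT') or '-'}")
    if not rec.get("OUT"):
        parts.append("addressed to this host, not forwarded")
    return "; ".join(parts)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_netfilter_line(line)
        if rec is not None:
            print(summarize(rec))
```

Run it as-is and the quoted line comes out as a TCP SYN from 24.178.31.64:4135 to 24.178.96.233:80 (http) on eth1 with no OUT interface, which is exactly the "somebody knocking on your web port" reading; feeding it your own /var/log/messages lines works the same way as long as the rule used a --log-prefix.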